- RatOn is a rare Android Trojan that combines NFC relay, overlay attacks and automated money transfers
- It targets banking apps and cryptocurrency wallets, stealing PINs and wallet recovery phrases
- Spread through fake TikTok apps, it mainly targets users in Czechia and Slovakia
Security researchers have discovered a rare strain of Android malware with capabilities that have, until now, been "practically unknown".
Earlier this week, ThreatFabric published a detailed report on RatOn, a remote access Trojan (RAT) with NFC relay capabilities.
In an NFC relay attack, criminals use two devices to make a payment terminal believe that a genuine card or phone is present when it is in fact somewhere else. One device (the infected phone) reads the data from the victim's card and forwards it in real time to a second device, which presents that data to the terminal and makes the payment on the victim's behalf.
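The two-device exchange described above, as an added toy model that is not code from the article or from ThreatFabric: a terminal sends command APDUs to what it believes is a card; the "card" on the infected phone forwards each command over the network to a second device holding the victim's real card, and returns the real answer. The APDU bytes, the card's responses and the latency threshold are all constructed for illustration. The terminal-side timing check is a generic relay countermeasure added here to show the one observable a transparent relay cannot hide, not a mitigation the report attributes to any vendor.

```python
"""Toy model of an NFC relay attack plus a terminal-side timing check.

Constructed example: the APDUs, card responses and thresholds are invented
for illustration and are not taken from RatOn or from ThreatFabric's report.
"""
import time

# Constructed command APDUs (CLA INS P1 P2 Lc ... framing); not real EMV data.
SELECT_PPSE = bytes.fromhex("00a404000e325041592e5359532e444446303100")
GET_PROCESSING_OPTIONS = bytes.fromhex("80a8000002830000")
SW_OK = b"\x90\x00"              # status word: success
SW_FILE_NOT_FOUND = b"\x6a\x82"  # status word: unknown application


class RealCard:
    """Stand-in for the victim's contactless card (constructed responses)."""

    def transceive(self, apdu: bytes) -> bytes:
        if apdu.startswith(b"\x00\xa4\x04\x00"):      # SELECT by AID
            return b"\x6f\x04\x84\x02AB" + SW_OK        # fake FCI template
        if apdu.startswith(b"\x80\xa8"):               # GET PROCESSING OPTIONS
            return b"\x77\x02\x82\x00" + SW_OK
        return SW_FILE_NOT_FOUND


class RelayEmulatedCard:
    """Device A in the relay: looks like a card to the terminal, but forwards
    every APDU over the network to device B, which holds the real card."""

    def __init__(self, remote_card: RealCard, network_rtt_s: float):
        self.remote_card = remote_card
        self.network_rtt_s = network_rtt_s   # simulated network round trip
        self.log = []                        # (command, response) pairs relayed

    def transceive(self, apdu: bytes) -> bytes:
        time.sleep(self.network_rtt_s / 2)           # A -> B over the network
        resp = self.remote_card.transceive(apdu)     # B taps the victim's card
        time.sleep(self.network_rtt_s / 2)           # B -> A
        self.log.append((apdu.hex(), resp.hex()))
        return resp


def terminal_transaction(card, max_rtt_s: float = 0.05) -> dict:
    """Terminal side of an abbreviated exchange. Approves only if every
    command/response round trip stays below max_rtt_s: the relay is
    byte-for-byte transparent, so latency is the observable that betrays it.
    max_rtt_s is a hypothetical threshold chosen for this example."""
    responses, slowest = [], 0.0
    for apdu in (SELECT_PPSE, GET_PROCESSING_OPTIONS):
        t0 = time.perf_counter()
        resp = card.transceive(apdu)
        slowest = max(slowest, time.perf_counter() - t0)
        responses.append(resp)
        if not resp.endswith(SW_OK):
            return {"approved": False, "reason": "card error", "responses": responses}
    if slowest > max_rtt_s:
        return {"approved": False, "reason": "round trip too slow (possible relay)",
                "responses": responses}
    return {"approved": True, "reason": "ok", "responses": responses}


if __name__ == "__main__":
    print(terminal_transaction(RealCard()))
    relay = RelayEmulatedCard(RealCard(), network_rtt_s=0.2)
    print(terminal_transaction(relay))
    print(relay.log)
```

Run directly, the first transaction is approved and the relayed one is refused with the same response bytes, which is the point: nothing in the data distinguishes the relay, only the added network delay does. Raising max_rtt_s (or a terminal that never bounds round-trip time) lets the relayed payment through.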
RatOn
"The cases where a Trojan evolves from a basic NFC relay tool into a sophisticated RAT with automated transfer system (ATS) capabilities are practically unknown," said ThreatFabric. "This is why the discovery of the new Trojan RatOn by ThreatFabric MTI analysts is particularly remarkable. RatOn merges traditional overlay attacks with automated fund transfers and NFC relay functionality, making it a single, powerful threat."
RatOn was first compiled in early July 2025, and the latest version appeared on August 29, which means it is under active development. It serves primarily as an Android banking Trojan, supporting both device takeover and account takeover. It also targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com and Phantom, and can steal PINs and wallet recovery phrases.
The malware also uses overlays to deceive users and to lock devices, and automates money transfers through the George Česko banking app. Since George Česko is a mobile banking application used in Czechia, the researchers concluded that the attackers are targeting, first and foremost, individuals in Czechia and Slovakia.
The malware is distributed through spoofed Google Play Store pages, set up to advertise an adult version of the TikTok app that actually carries a malicious dropper.
Once installed, the dropper asks the victim for certain permissions, including the one that lets it install apps from unknown sources. If that is granted, it deploys the second-stage payload, which in turn requests further permissions, including the much-abused accessibility services.
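A static check a practitioner would want for the dropper chain just described, written here as an added example (not code from the article, ThreatFabric, or the malware): parse a decoded AndroidManifest.xml and flag the combination of an install-packages permission, an accessibility service declaration and overlay or NFC permissions. The permission list is this example's own triage heuristic, not a published indicator for RatOn, and the two manifests and package names are constructed. It assumes the manifest has already been decoded to text (for instance with apktool).

```python
"""Static triage of a decoded AndroidManifest.xml for the permission pattern
the article describes: a dropper that can install further APKs, followed by
a payload that wants accessibility, overlay and NFC access.

Added example; the permission list is a heuristic chosen for illustration,
not an indicator published for RatOn. Assumes a text manifest (e.g. apktool).
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper behaviour)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.NFC": "can read or emulate NFC (relay building block)",
    "android.permission.READ_SMS": "can read SMS (OTP interception)",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a list of human-readable findings and a
    score equal to the number of findings. Treat the score as a triage
    signal: password managers and alternative app stores legitimately
    declare some of these, so a high score is a reason to look, not a verdict."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append(f"{name}: {RISKY_PERMISSIONS[name]}")
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter carries the AccessibilityService action.
    for svc in root.iter("service"):
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions and svc.get(A + "permission") == BIND_ACCESSIBILITY:
            findings.append(f"accessibility service: {svc.get(A + 'name')}")
    return {"package": root.get("package"), "findings": findings, "score": len(findings)}


# Constructed manifests for demonstration; package names are invented.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakevideo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="Video">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["score"], *result["findings"], sep="\n  ")
```

On the constructed inputs the benign manifest scores 0 and the suspicious one scores 4 (three permissions plus the accessibility service). The same routine applies unchanged to the dropper and to the second-stage payload: the dropper should stand out mainly for REQUEST_INSTALL_PACKAGES, the payload for the accessibility service and overlay or NFC permissions.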
Via The Hacker News